Debian Security Advisory

DLA-1480-1 ruby2.1 -- LTS security update

Date Reported:
27 Aug 2018
Affected Packages:
ruby2.1
Security database references:
In the Debian bugtracking system: Bug 895778, Bug 851161.
In Mitre's CVE dictionary: CVE-2016-2337, CVE-2018-1000073, CVE-2018-1000074.
More information:

Several vulnerabilities were discovered in Ruby 2.1.

  • CVE-2016-2337

    A type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker who passes an object of a type other than String as the retval argument can cause arbitrary code execution.

  • CVE-2018-1000073

    RubyGems contains a directory traversal vulnerability in the install_location function of package.rb. When the installation base directory is reached through a symlink that points outside of the installation root, a gem's files can be written outside of that root.

  • CVE-2018-1000074

    RubyGems contains a deserialization of untrusted data vulnerability in the gem owner command that can result in code execution. The attack requires the victim to run the gem owner command on a gem with a specially crafted YAML file.
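The two RubyGems issues above are instances of generic patterns, and the following added examples (written for this page, not Debian's or RubyGems' own code) show each pattern beside a hardened form. The first covers CVE-2018-1000074: loading YAML from an untrusted source with a full YAML load lets a `!ruby/object:` tag instantiate any class present in the process, whereas `YAML.safe_load` rejects the tag and a structural check confirms the data has the shape the caller expects. The class `OwnerRecord`, the constants `CRAFTED_RESPONSE` and `BENIGN_RESPONSE`, and the functions `parse_owners_unsafe`, `parse_owners_safe` and `owner_emails` are hypothetical names for this illustration; the YAML documents are constructed here and are not a real server response or the actual exploit payload.

```ruby
require "yaml"

# Stand-in for any class that happens to be loaded inside a real `gem`
# process. Hypothetical; chosen only to make the instantiation visible.
class OwnerRecord
  attr_reader :email
end

# Constructed input. A consumer expects a plain list of hashes such as
# `- email: alice@example.com`, but this document carries a `!ruby/object:`
# tag, which a full YAML load turns into a live OwnerRecord instance.
CRAFTED_RESPONSE = <<~YAML
  ---
  - !ruby/object:OwnerRecord
    email: attacker@example.com
YAML

# Constructed benign input in the shape the consumer actually expects.
BENIGN_RESPONSE = <<~YAML
  ---
  - email: alice@example.com
YAML

# Vulnerable pattern: a full YAML load of untrusted data.
# Psych 4 (Ruby 3.1+) made YAML.load safe by default, so on those versions
# YAML.unsafe_load is needed to reproduce the older behaviour.
def parse_owners_unsafe(body)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(body)
  else
    YAML.load(body)
  end
end

# Hardened pattern: safe_load (no permitted classes, no aliases) followed by
# a structural check so that only the expected shape is accepted.
def parse_owners_safe(body)
  data = YAML.safe_load(body)
  raise ArgumentError, "expected a list of owner records" unless data.is_a?(Array)
  data.map do |rec|
    unless rec.is_a?(Hash) && rec["email"].is_a?(String)
      raise ArgumentError, "malformed owner record: #{rec.inspect}"
    end
    rec["email"]
  end
end

# Wrapper returning nil for anything that is rejected, so callers never see a
# partially deserialized object graph.
def owner_emails(body)
  parse_owners_safe(body)
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError, ArgumentError
  nil
end

if __FILE__ == $0
  obj = parse_owners_unsafe(CRAFTED_RESPONSE).first
  puts "unsafe load produced: #{obj.class} (email=#{obj.email})"
  puts "safe load of crafted doc: #{owner_emails(CRAFTED_RESPONSE).inspect}"
  puts "safe load of benign doc:  #{owner_emails(BENIGN_RESPONSE).inspect}"
end
```

The instantiation shown here is harmless by itself; the practical risk comes from the many classes with custom `init_with`, `marshal_load` or method-missing behaviour that are reachable in a real process, which is why the fix is to refuse arbitrary tags rather than to audit every class. Note that `safe_load` alone is not sufficient: without the shape check, a document that parses to an Integer or a nested array would still reach the caller.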
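The second added example (again written for this page, not RubyGems' patched code) illustrates the condition described for CVE-2018-1000073. A purely lexical containment check resolves `..` with `File.expand_path` and so rejects `../x`, but it accepts `lib/evil.rb` when `lib` inside the installation root is a symlink to a directory outside it; the hardened check additionally resolves the nearest existing ancestor of the destination with `File.realpath` and compares that against the real path of the root. The functions `naive_install_location`, `hardened_install_location`, `real_parent`, `accepts?` and `symlink_escape_demo` are hypothetical names, and the temporary directory layout is constructed by the demo itself.

```ruby
require "tmpdir"
require "fileutils"

# Lexical check only: resolves "." and ".." but follows no symlinks.
# Returns the destination path or raises ArgumentError.
def naive_install_location(filename, root)
  raise ArgumentError, "absolute path #{filename}" if filename.start_with?("/")
  root = File.expand_path(root)
  dest = File.expand_path(File.join(root, filename))
  unless dest.start_with?(root + File::SEPARATOR)
    raise ArgumentError, "#{filename} escapes #{root}"
  end
  dest
end

# Real path of the closest ancestor of +path+ that already exists. Components
# below it do not exist yet, so they cannot be symlinks.
def real_parent(path)
  dir = File.dirname(path)
  dir = File.dirname(dir) until File.exist?(dir) # "/" always exists, so this terminates
  File.realpath(dir)
end

# Hardened check: the lexical check first, then a symlink-aware comparison of
# the destination's existing parent against the real root.
def hardened_install_location(filename, root)
  dest      = naive_install_location(filename, root)
  real_root = File.realpath(File.expand_path(root))
  real_dir  = real_parent(dest)
  unless real_dir == real_root || real_dir.start_with?(real_root + File::SEPARATOR)
    raise ArgumentError, "#{filename} resolves to #{real_dir}, outside #{real_root}"
  end
  dest
end

# true if the block completes, false if the check rejected the path.
def accepts?
  yield
  true
rescue ArgumentError
  false
end

# Builds a throwaway tree: gem_root/ext (real dir), gem_root/lib -> ../outside
# (a symlink leaving the root), and runs both checks against it.
def symlink_escape_demo
  Dir.mktmpdir do |tmp|
    root    = File.join(tmp, "gem_root")
    outside = File.join(tmp, "outside")
    FileUtils.mkdir_p(File.join(root, "ext"))
    FileUtils.mkdir_p(outside)
    File.symlink(outside, File.join(root, "lib"))
    {
      benign_accepts:   accepts? { hardened_install_location("ext/a.rb", root) },
      naive_accepts:    accepts? { naive_install_location("lib/evil.rb", root) },
      hardened_accepts: accepts? { hardened_install_location("lib/evil.rb", root) },
    }
  end
end

puts symlink_escape_demo.inspect if __FILE__ == $0
```

The realpath comparison is done against the real path of the root as well, so an installation root that is itself reached through a symlink (common for `/tmp` on some systems) is still accepted; the check is only violated when the destination's existing parent resolves somewhere the root does not contain. An installer that creates symlinks and then writes through them in a single pass must re-run this check for every entry, since an earlier entry may have created the link the later one traverses.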

For Debian 8 Jessie, these problems have been fixed in version 2.1.5-2+deb8u5.

We recommend that you upgrade your ruby2.1 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: